/tags/scanrules/ Recent content in Scanrules on ZAP Hugo en-us Wed, 03 Sep 2025 00:00:00 +0000 /blog/2025-09-03-configuring-scan-policies-with-alert-tags/ Wed, 03 Sep 2025 00:00:00 +0000 /blog/2025-09-03-configuring-scan-policies-with-alert-tags/ A new feature in ZAP&rsquo;s automation framework allows you to configure scan policies using alert tags, making it easier to target specific types of vulnerabilities without manually managing individual scan rules. /blog/2025-07-25-the-new-zap-is-out-of-date-rule/ Fri, 25 Jul 2025 00:00:00 +0000 /blog/2025-07-25-the-new-zap-is-out-of-date-rule/ If you are using an old version of ZAP then you might start seeing a new alert&hellip; /blog/2025-07-22-timing-rule-changes/ Tue, 22 Jul 2025 00:00:00 +0000 /blog/2025-07-22-timing-rule-changes/ Scan rules related to time based attacks have been split or renamed. /blog/2024-07-17-script-scan-rules/ Wed, 17 Jul 2024 00:00:00 +0000 /blog/2024-07-17-script-scan-rules/ ZAP scripts can now do everything that scan rules can. /blog/2024-06-27-polyfill.io-script-detection/ Thu, 27 Jun 2024 00:00:00 +0000 /blog/2024-06-27-polyfill.io-script-detection/ A new scan rule which allows you to find out which of your sites are loading scripts from polyfill.io really quickly. /blog/2022-04-04-spring4shell-detection-with-zap/ Mon, 04 Apr 2022 00:00:00 +0000 /blog/2022-04-04-spring4shell-detection-with-zap/ How to detect Spring4Shell with the new Spring4Shell Alpha Active Scan Rule. /blog/2021-12-10-zap-and-log4shell/ Fri, 10 Dec 2021 00:00:00 +0000 /blog/2021-12-10-zap-and-log4shell/ ZAP appears to be impacted by the Log4Shell vulnerability - CVE-2021-44228. We have released ZAP 2.11.1 which fixes the problem, this blog post gives more information and the impact on older versions of ZAP. /blog/2014-04-30-hacking-zap-4-active-scan-rules/ Wed, 30 Apr 2014 00:00:00 +0000 /blog/2014-04-30-hacking-zap-4-active-scan-rules/ <p>Welcome to a <a href="https://github.com/zaproxy/zaproxy/wiki/Development#hacking-zap">series of blog posts</a> aimed at helping you “hack the ZAP source code”.<br> The previous post in this series is: <a href="/blog/2014-04-03-hacking-zap-3-passive-scan-rules/">Hacking ZAP #3 - Passive scan rules</a></p> <p>Active scan rules are another relatively simple way to enhance ZAP. Active scan rules attack the server, and therefore are only run when explicitly invoked by the user. You should only use active scan rules against applications that you have permission to attack.<br> You can also write active scan rules dynamically using scripts, as we will see later in this series, but even then it&rsquo;s very useful to understand some of the concepts underlying classes available to you.</p> /blog/2014-04-03-hacking-zap-3-passive-scan-rules/ Thu, 03 Apr 2014 00:00:00 +0000 /blog/2014-04-03-hacking-zap-3-passive-scan-rules/ <p>Welcome to a <a href="https://github.com/zaproxy/zaproxy/wiki/Development#hacking-zap">series of blog posts</a> aimed at helping you “hack the ZAP source code”.<br> The previous post in this series is: <a href="/blog/2014-03-20-hacking-zap-2-getting-started/">Hacking ZAP #2 - Getting Started</a></p> <p>One of the easiest ways to enhance ZAP is to write new passive scan rules.<br> Passive scan rules are used to warn the user of potential vulnerabilities that can be detected passively - they are not allowed to make any new requests or manipulate the requests or responses in any way.<br> They typically run against all of the requests and responses that flow through ZAP.<br> Passive rules run in separate background thread so that they have as little effect on performance as possible.</p>